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Cloud computing systems consist of a pool of Virtual Machines (VMs), 
which are installed physically on the provider's set up. The main aim of the 
VMs is to offer the service to the end users. With the current increasing 
demand for the cloud VMs, there is always a huge requirement to secure the 
cloud systems. To keep these cloud systems secured, they need a continuous 
and a proper monitoring. For the purpose of monitoring, several algorithms 
are available with FVMs. FVM is a forensic virtual machine which monitors 
the threats among the VMs. Our formulated algorithm runs on FVM. In this 
paper, we formulate the Random-Start-Round-Robin algorithm for 
monitoring inside FVM. 
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1. INTRODUCTION 

The concept of cloud computing can be understood as a combination of two related concepts. First, 
the applications which are transported as services over the Internet. Second, the hardware and the software 
components that are supporting these respective services in the data centers [1]. Cloud systems could be 
designed according to cloud providers and user needs [2]. However, other different reasons could control the 
design architecture of cloud computing. For example, security aspects should be considered in designing the 
cloud systems. [3, 4]. 

Some of the previous studies related to designing an architecture for the homogeneous computing 
systems include [5-10] used homogeneous structure. However, there are different architecture as in [11], 
where the authors used the hierarchical structure called as HASBE (hierarchical attribute-set-based 
encryption). The main reason for using this type of structure is to enhance the security of Cloud systems [11]. 
Furthermore, Ganglia [12] uses a hierarchical designed as a distributed monitoring system for cluster and 
other high-performance computing systems. This paper proposes an algorithm using the same technique. 

The hierarchical structure for this paper includes three different levels of architecture. First, the 
virtual gateways that are defined as the software run by the cloud operator to make cloud resources available 
to the cloud customers [13]. It secures the user data and allows cloud providers to have better monitoring of 
their data efficiently [14]. Virtual gateway could have several virtual clusters. Second, the virtual clusters 
which are comprised of virtual machines (VMs) Those virtual machines are installed on distributed servers. 
The VMs in a cluster are interconnected by a virtual network. The target is to have a different number of 
clusters. FVMs and VMs will be distributed among clusters. A virtual cluster comprises several Virtual 
Machines (VM). Third, the VM that configured to be consistent in one cluster to share physical 
resources [15]. 
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The evaluation of the problem in this paper for an efficient monitoring of cloud systems is to trace 
out the symptoms of malicious behavior in the VMs. For this purpose, the simplified Virtual Machines 
known as Forensic Virtual Machines (FVM), for performing cloud monitoring. The monitoring is done by 
visiting or inspecting VMs (regularly) to see whether they have the found the symptoms or not? The main 
contribution of this paper is to study the impact of the new proposed algorithm in the hierarchical structure of 
a cloud system that influences the efficiency of the monitoring of FVMs, and how to implement it in an 
efficient way. We start with a short review of previous work and related material, followed by a description 
of the new model including ways of discovering symptoms in a hierarchical structure. Finally, we present the 
results of simulations and provide conclusions to our findings. 


2. PREVIOUS WORK 

The main idea of cloud monitoring is to be able to frequently inspect VMs by several FVMs. FVMs 
are typically autonomous simplified VMs with limited computability and communication. This concept was 
more formally defined in the context of Cloud security in [16, 17], where a mobility algorithm was defined 
for the general purpose of searching for symptoms and discovering their dangerous configurations. The 
mobility algorithm has become an important tool for cloud monitoring providing light way security, though it 
is difficult to analyze due to its complexity including security aspects. The simplified version of it, called 
Reduce-Max algorithm, was formally specified and analyzed in more depth in [18]. The aim of the Reduce- 
Max algorithm was only to monitor the system by assuring frequent visits to VMs for identification of 
symptoms, without taking into consideration additional criteria imposed by security objectives. Next, we 
provide more detail explanation of Mobility and Reduce-Max algorithms. 

2.1. Mobility algorithm 

The authors in [17] proposed a formula (1) to assess the urgency of visiting a Virtual Machine v: 

f( » = ^-oifSr va/(Ci)+ Kv)T 

where Disc (ci; v) is the number of symptoms inside one configuration ci discovered at VM v, size(ci) is the 
number of potential symptoms in configuration ci, val (ci) is an assigned value saying how dangerous the 
symptoms are for this configuration, (v) is a value associated with delay at VM v (also called a weight of v) 
and T is the current time minus the last time when VM v was visited by an FVM. In the proposed mobility 
algorithm, each FVM chooses randomly the next VM to visit from some range of VMs v with the highest 
value f(v). 

2.2. Reduce-max algorithm 

The author in [18] introduced a simplified version of the Mobility algorithm, called Reduce-Max 
algorithm. In this algorithm, a decision about the next visited VM v is made by considering the (highest) 
value of a simplified function f(v)=T(v). In [18], this algorithm was analyzed for five different weighting 
configurations of VMs: (uniformly) random, uniform, arithmetic, harmonic, and exponential. Some of these 
sets of weights will be considered in this paper. 

2.3. Two ways of implementing reduce-max for many FVMs 

In [19], there was a further development of Reduce-Max algorithm supported by a deeper analysis. 
The paper distinguished two ways of implementing the Reduce-Max algorithm in case of many FVMs: 
deterministic coordinated reduction and randomized local reduction. Deterministic coordinated reduction 
means that each i-th FVM inspects the exact i-th highest weighted VMs v (the value f(v) of this VM will be 
reduced to zero after the visit). Randomized local reduction, on the other hand, allows each FVM to choose 
randomly VM(v) from a given range of highest values of f(v), say, from the k FVMs v with the highest 
values f(v), for some parameter. In [19], the tested ranges of highest VMs (chosen randomly by a FVM) were 
set up from 1 to 16. The same five configurations of weights as in [18] were tested for the Reduce-Max 
algorithm in both the considered versions (deterministic and randomized). 

2.4. Hierarchical model 

The simulations in this paper are performed in a hierarchical tree system, which is one of the real 
structures of the Cloud. This structure firstly used for the work of monitoring VMs in [20]. Two sets of 
weighting VMs are used here in this paper and were already studied in the context of a non-hierarchical 
homogeneous system in [19]: uniform and random. The reason of studying them here is that these sets of 
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weights have better results and the monitoring when using them was most efficient inhomogeneous systems, 
therefore it is natural to study them in the hierarchical system. 

Poisson distribution has also been used and considered in [21] in the context of homogeneous 
systems, in addition to these two sets of weights. Poisson distribution will be used here too. The findings in 
[20] show how the performance of monitoring depends on these different configurations. The performance of 
monitoring measured as the maximum waiting time (or, alternatively, as the maximum accumulated weight 
since the last visit of an FVM), depends on the number of clusters. 


3. THE CONTRIBUTION OF THIS WORK 

After previous versions of the Reduce-Max algorithm, an efficient algorithm for the work of 
monitoring cloud systems is used in this paper. The algorithm is named a Random-Start-Round-Robin 
algorithm. For the Reduce-Max algorithm, the reduction was from the highest weighted VMs (even with its 
two versions, the reduction either of the exact highest weighted VMs or from a range of highest values). 

However, with the Random-Start-Round-Robin algorithm, the way of reduction is different. One of 
VMs is selected randomly by one of FVMs. After that, this specific FVM inspects the selected VM after 
visiting it, wherever its position and not necessary it has the highest weight, then, this FVM inspects all VMs 
in round robin fashion. All other FVMs follow the same procedures. 


4. MODEL DESCRIPTION 

The new algorithm in this paper is considered in the cloud model of the tree structure. This structure 
includes three levels: gateway level clusters level and nodes level. 

4.1. Methodology 

In this work, Random-Start-Round-Robin algorithm is different from the previously described ones. 
Here, the results of each two versions of the Reduce-Max algorithm has been used to have a good 
comparison with the new algorithm results. What distinguishes this algorithm from the previous ones is that 
this time the reduction is as follows. FVMs choose one of VMs randomly in the first round then the visits to 
all VMs are in a round robin fashion. 

The assumption is fixed from previous works. There is one physical host. The host has 1024 VMs in 
total, organized into the tree structure. The sets also are fixed, and they are Uniform, Random distribution for 
two different ranges (3 and 15) and Poisson distribution of weights for two different parameters (2 and 8). 
For each data set, the results will be for 1, 2, 4, 8 and 16 Clusters. More explanations about datasets are down 
in this paper. 

For each set of parameters, each execution runs for 500000 rounds and compute the total max. 
Total-Max is the highest weighted latency ((v)T (v)) between two visits to a VM that can be observed from 
the whole system. The problem is to schedule the visit of FVMs to VMs. The main functional objective is to 
minimize the latencies of visiting VMs. This means minimizing Total-Max. After that, for each total max, the 
execution is repeated 100 times and take the average; we do it to avoid random fluctuation of the results. 

As explained above, five sets of data for weighting VMs are used, which have been used also in 
papers [19-21]. Total-Max in this paper is the highest weighted latency A,(v)*T(v) between two visits to a VM 
that can be observed from the whole system. The problem is to schedule the visit of FVMs to VMs. The main 
functional objective is to minimize the latencies of visiting VMs. This means minimizing Total-Max. 


5. RESULTS 
5.1. Uniform weights 

We start with the results of Uniform weights studied for the Random-Start-Round-Robin algorithm. 
Uniform inputs in this paper mean that all VMs are equal in regard to weights; without loss of generality, it 
could be assumed that all of the weights of VMs are ones [8]. The experiments were done using 16 FVMs 
and for 1, 2, 4, 8 and 16 Clusters as following. 

In Figure 1, it can be seen clearly that the results of the total max of the Random-Start-Round-Robin 
algorithm are much better of the best result of the Randomized-Local version of the Reduce-Max algorithm, 
especially for smaller numbers of clusters. The result in Figure 1, for one cluster in the system, is around 
0.23, which is better than the best result of the Randomized-Local version that is above 0.6. However, the 
Deterministic-Coordinated version of Reduce-Max with the same settings shows the result of 0.062 that is 
not only better than the Randomized-Local version but also better than Random-Start-Round-Robin 
algorithm’s result. 
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Figure 1. Total max of random-start-round-robin algorithm for uniform weights 


Then, the results of a Random-Start-Round-Robin go down towards 0.063 when 16 clusters applied, 
which is really close to Deterministic-Coordinated results. Moreover, the best results of Randomized-Local 
version of Reduce-Max are de-creasing too with the increasing number of clusters. The best results of 
Randomized-Local reduction, when 16 clusters are in the system, is around 0.13. 

5.2. Random [1,3] weights 

Random inputs for weighting VMs in this work means that the values of weights are selected 
randomly and independently from integer values from a given range. We use two different ranges for 
Random weights. The first one is Random [1,3] weights. The range of it includes the values of 1, 2 and 3. 
The second one is Random [1, 15] weights, which includes the random selection of 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 
11, 12, 13, 14 and 15. 

The reason of choosing these two different random ranges are first to have small values of random 
weights to compare the total-max of these weights with both total-max with bigger random range [1-15] and 
with Poisson (2). Secondly, we will also compare the range [1, 15] with Poisson (8). The results for Random 
[1,3] weights, when the selection is from the range from 1 to 3, in Figure 2 are better than the best results of 
a Randomized-Local version of the Reduce-Max algorithm for most of the numbers of clusters and worse 
than Deterministic-Coordinated results in all cases. 



Figure 2. Total max of random-start-round-robin algorithm for random [1,3] weights 


The results start at around 0.29 for one cluster and end with 0.094 for 16 clusters. The case with the 
best result of a Randomized-Local version of Reduce-Max is almost the same. It starts from about 0.78 for 
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one cluster and ends with around 0.16 for 16 clusters. However, the results of Deterministic-Coordinated 
version increase from 0.079 for one cluster to 0.081 for 16 clusters. 

5.3. Random [1,15] weights 

In this subsection, results are shown for a random set when the selection is from 1 to 15 for different 
numbers of clusters. Overall, in Figure 3 the results of a Random-Start-Round-Robin are similar to those for 
random [1,3] weights. They are better than the best results of Randomized-Local version of the Reduce-Max 
algorithm for most of the numbers of clusters and worse than Deterministic-Coordinated results in all cases. 
They start at about 0.43. This value is close to the corresponding one for Poisson (8) weights. This value 
becomes 0.12 when 16 FVMs are applied. The result of Deterministic-Coordinated version is about 0.074 for 
one cluster and goes up to 0.08 for 16 clusters. Moreover, the best results of Randomized-Local version 
decrease from 0.72 to 0.16. 



Figure 3. Total max of random-start-round-robin algorithm for random [1,15] weights 


5.4. Poisson (2) weights 

For Poisson weights with=2, in Figure 4, the result of a Random-Start-Round-Robin algorithm is 
showing the worst results compared to the results of both Deterministic and Randomized versions of 
Reduce-Max. 



1 Cluster 2 Clusters 4 Clusters 8 Clusters 16 Clusters 

■ Deterministic ■ Round Robin B Best of Rondomized 


Figure 4. Total max of random-start-round-robin algorithm for poisson (2) weights 


Random-Start-Round-Robin result for one cluster is approximately 0.875. This value of total max is 
decreasing with the rising number of clusters. It reaches around 0.26 when 16 clusters are in the system. The 
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same case happens with the best result of a Randomized-Local version of Reduce-Max. The total max starts 
from about 0.77 for one cluster and ends with around 0.21 for 16 clusters. 

On the other hand, the results of a Deterministic-Coordinated version of Reduce-Max start from 
approximately 0.077. Then, an increase in the results happens until reaching 0.088 for 16 clusters. However, 
the results for Deterministic-Coordinated are indicating the best total max. 

5.5. Poisson (8) weights 

In regard to Poisson weights with=8, the results of the Random-Start-Round-Robin algorithm in 
Figure 5 are the worst results compared to the results of both Deterministic-Coordinated and Randomized- 
Local versions of Reduce-Max when 2, 4 and 8 clusters are applied. However, when one and 16 clusters are 
in the system, the results are better than the best results of a Randomized-Local version of the Reduce-Max 
algorithm and worse than Deterministic-Coordinated results. 

Random-Start-Round-Robin result for one Cluster is 0.47. This value of total max is falling to the 
value of 0.15 when 16 clusters are in the system. The best result of the Randomized-Local version of Reduce- 
Max starts from about 0.72 for one cluster and ends with around 0.16 for 16 clusters. However, the results of 
the Deterministic-Coordinated version that keeps giving the best results start from around 0.074. The results 
rise until reaching 0.08 when 16 clusters are applied. 



Figure 5. Total max of random-start-round-robin algorithm for poisson (8) weights 


6. CONCLUSION AND OPEN PROBLEM 

In this paper of Random-start-Round-Robin algorithm, we compare it with other related algorithms 
like Reduce-Max algorithm by in hierarchical systems. Overall, the results of Random-Start-Round-Robin 
algorithm shows better than the best results of Randomized-Local reduction technique of Reduce-Max 
algorithm. However, the Deterministic-Coordinated technique of Reduce-Max, as expected, gives better 
results but it needs more coordination time for processing. We can say Random-Start-Round-Robin algorithm 
is a better choice than Randomized-Local reduction and its results are not far from the Deterministic- 
Coordinated version of Reduce-Max. The future and interesting direction of this research are to test the 
efficiency of distributed monitoring in both hierarchical and homogeneous structures. 
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